[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [saml-dev] "previously established an identifier usable by the requester"?
Just to help facilitate this discussion, I’ve included below all the relevant parts of the specification that I could find about this issue.
Core

3.4.1.1 Element <NameIDPolicy>

… AllowCreate [Optional] A Boolean value used to indicate whether the identity provider is allowed, in the course of fulfilling the request, to create a new identifier to represent the principal. Defaults to "false". When "false", the requester constrains the identity provider to only issue an assertion to it if an acceptable identifier for the principal has already been established. Note that this does not prevent the identity provider from creating such identifiers outside the context of this specific request (for example, in advance for a large number of principals). …

Note that if the requester wishes to permit the identity provider to establish a new identifier for the principal if none exists, it MUST include this element with the AllowCreate attribute set to "true". Otherwise, only a principal for whom the identity provider has previously established an identifier usable by the requester can be authenticated successfully. This is primarily useful in conjunction with the urn:oasis:names:tc:SAML:2.0:nameid-format:persistent Format value (see Section 8.3.7).

3.6 Name Identifier Management Protocol

After establishing a name identifier for a principal, an identity provider wishing to change the value and/or format of the identifier that it will use when referring to the principal, or to indicate that a name identifier will no longer be used to refer to the principal, informs service providers of the change by sending them a <ManageNameIDRequest> message. A service provider also uses this message to register or change the SPProvidedID value to be included when the underlying name identifier is used to communicate with it, or to terminate the use of a name identifier between itself and the identity provider.

Note that this protocol is typically not used with "transient" name identifiers, since their value is not intended to be managed on a long term basis.

3.6.3 Processing Rules

… If the service provider requests that its identifier for the principal be changed by including a <NewID> (or <NewEncryptedID>) element, the identity provider MUST include the element's content as the SPProvidedID when subsequently communicating to the service provider regarding this principal.

8.3.7 Persistent Identifier

URI: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

Indicates that the content of the element is a persistent opaque identifier for a principal that is specific to an identity provider and a service provider or affiliation of service providers. Persistent name identifiers generated by identity providers MUST be constructed using pseudo-random values that have no discernible correspondence with the subject's actual identifier (for example, username). The intent is to create a non-public, pair-wise pseudonym to prevent the discovery of the subject's identity or activities. Persistent name identifier values MUST NOT exceed a length of 256 characters.

The element's NameQualifier attribute, if present, MUST contain the unique identifier of the identity provider that generated the identifier (see Section 8.3.6). It MAY be omitted if the value can be derived from the context of the message containing the element, such as the issuer of a protocol message or an assertion containing the identifier in its subject. Note that a different system entity might later issue its own protocol message or assertion containing the identifier; the NameQualifier attribute does not change in this case, but MUST continue to identify the entity that originally created the identifier (and MUST NOT be omitted in such a case).

The element's SPNameQualifier attribute, if present, MUST contain the unique identifier of the service provider or affiliation of providers for whom the identifier was generated (see Section 8.3.6). It MAY be omitted if the element is contained in a message intended only for consumption directly by the service provider, and the value would be the unique identifier of that service provider.

The element's SPProvidedID attribute MUST contain the alternative identifier of the principal most recently set by the service provider or affiliation, if any (see Section 3.6). If no such identifier has been established, then the attribute MUST be omitted.

Profiles

4.1 Web Browser SSO Profile

… During this process, a name identifier might also be established between the providers for the principal, subject to the parameters of the interaction and the consent of the parties.

4.1.4.1 <AuthnRequest> Usage

… If the service provider wishes to permit the identity provider to establish a new identifier for the principal if none exists, it MUST include a <NameIDPolicy> element with the AllowCreate attribute set to "true". Otherwise, only a principal for whom the identity provider has previously established an identifier usable by the service provider can be authenticated successfully.

4.5 Name Identifier Management Profile

In the scenario supported by the Name Identifier Management profile, an identity provider has exchanged some form of persistent identifier for a principal with a service provider, allowing them to share a common identifier for some length of time. Subsequently, the identity provider may wish to notify the service provider of a change in the format and/or value that it will use to identify the same principal in the future. Alternatively the service provider may wish to attach its own "alias" for the principal in order to ensure that the identity provider will include it when communicating with it in the future about the principal. Finally, one of the providers may wish to inform the other that it will no longer issue or accept messages using a particular identifier. To implement these scenarios, a profile of the SAML Name Identifier Management protocol is used.
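The AllowCreate rule from Core 3.4.1.1 / Profiles 4.1.4.1, the persistent-format constraints from 8.3.7 and the <NewID>/<Terminate> handling from 3.6.3, worked through in an added Python example. This code is not part of the message above and is not the OASIS specification's or any SAML library's code; the entity IDs, request IDs, timestamps, the in-memory pseudonym store and the alias value are made-up assumptions, and the sample messages are constructed here from only the elements the quoted sections name.

```python
"""Added example: IdP-side AllowCreate / persistent NameID handling plus the SP-side
ManageNameID messages. Entity IDs, request IDs and the alias value are assumptions."""
import secrets
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


class NoEstablishedIdentifier(Exception):
    """AllowCreate is false (or absent) and no identifier usable by this SP exists yet."""


def parse_name_id_policy(authn_request_xml):
    """Return (Format, AllowCreate) from an <AuthnRequest>; AllowCreate defaults to false."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:          # no <NameIDPolicy> at all: creation was not permitted
        return None, False
    allow = policy.get("AllowCreate", "false").strip().lower() in ("true", "1")
    return policy.get("Format"), allow


class IdP:
    """Minimal identity provider: one pair-wise pseudonym per (principal, SP). Assumed store."""

    def __init__(self, entity_id):
        self.entity_id = entity_id
        self.pseudonyms = {}  # (principal, sp_entity_id) -> {"value": str, "sp_provided_id": str|None}

    def resolve_name_id(self, principal, sp_entity_id, authn_request_xml):
        """Apply Core 3.4.1.1 and return the <saml:NameID> element for the assertion."""
        fmt, allow_create = parse_name_id_policy(authn_request_xml)
        if fmt not in (None, PERSISTENT):
            raise ValueError(f"this example only handles the persistent format, got {fmt}")
        key = (principal, sp_entity_id)
        entry = self.pseudonyms.get(key)
        if entry is None:
            if not allow_create:
                # The requester constrained us to already-established identifiers.
                raise NoEstablishedIdentifier(f"no identifier for {principal!r} usable by {sp_entity_id}")
            # 8.3.7: pseudo-random, no correspondence to the username, at most 256 characters.
            entry = {"value": secrets.token_urlsafe(32), "sp_provided_id": None}
            self.pseudonyms[key] = entry
        name_id = ET.Element(f"{{{SAML}}}NameID", {
            "Format": PERSISTENT,
            "NameQualifier": self.entity_id,   # entity that originally created the identifier
            "SPNameQualifier": sp_entity_id,   # SP the identifier was generated for
        })
        if entry["sp_provided_id"] is not None:  # 8.3.7: present only if the SP set one
            name_id.set("SPProvidedID", entry["sp_provided_id"])
        name_id.text = entry["value"]
        return name_id

    def manage_name_id(self, sp_entity_id, manage_request_xml):
        """3.6.3: the SP's <NewID> becomes SPProvidedID; <Terminate/> retires the identifier."""
        root = ET.fromstring(manage_request_xml)
        current = root.find(f"{{{SAML}}}NameID")
        if current is None:
            raise ValueError("ManageNameIDRequest lacks a NameID")
        key = next((k for k, e in self.pseudonyms.items()
                    if k[1] == sp_entity_id and e["value"] == current.text), None)
        if key is None:
            raise ValueError("unknown identifier for this service provider")
        if root.find(f"{{{SAMLP}}}Terminate") is not None:
            del self.pseudonyms[key]
            return "terminated"
        new_id = root.find(f"{{{SAMLP}}}NewID")
        if new_id is None or not new_id.text:
            raise ValueError("ManageNameIDRequest has neither NewID nor Terminate")
        self.pseudonyms[key]["sp_provided_id"] = new_id.text
        return "updated"


def authn_request(allow_create=None):
    """SP side: constructed <AuthnRequest> asking for a persistent identifier."""
    attr = "" if allow_create is None else f' AllowCreate="{str(allow_create).lower()}"'
    return (f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" ID="_req1" Version="2.0" '
            f'IssueInstant="2004-12-05T09:21:59Z">'
            f'<samlp:NameIDPolicy Format="{PERSISTENT}"{attr}/></samlp:AuthnRequest>')


def manage_name_id_request(name_id_value, new_id=None, terminate=False):
    """SP side: constructed <ManageNameIDRequest> registering an alias or terminating."""
    body = "<samlp:Terminate/>" if terminate else f"<samlp:NewID>{escape(new_id)}</samlp:NewID>"
    return (f'<samlp:ManageNameIDRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
            f'ID="_mgmt1" Version="2.0" IssueInstant="2004-12-05T09:22:30Z">'
            f'<saml:NameID Format="{PERSISTENT}">{escape(name_id_value)}</saml:NameID>{body}'
            f"</samlp:ManageNameIDRequest>")


if __name__ == "__main__":
    idp, sp = IdP("https://idp.example.org/saml"), "https://sp.example.com/saml"
    try:
        idp.resolve_name_id("alice", sp, authn_request())
    except NoEstablishedIdentifier as exc:
        print("first login without AllowCreate refused:", exc)
    first = idp.resolve_name_id("alice", sp, authn_request(allow_create=True))
    print("created:", ET.tostring(first).decode())
    idp.manage_name_id(sp, manage_name_id_request(first.text, new_id="sp-alias-42"))
    print("after NewID:", ET.tostring(idp.resolve_name_id("alice", sp, authn_request())).decode())
```

The point the thread is circling is visible in the first two calls: with AllowCreate absent the IdP refuses a principal it has never mapped for that SP, and once a pseudonym exists the same request succeeds; a different SP gets a different pseudonym for the same principal, and SPProvidedID appears only after the SP has registered one.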